Advisories

HHS’ Proposed Modifications To HIPAA Privacy Rule Do Not Ease Need For Compliance Preparation

April 15, 2002

On March 27, 2002, The U.S. Department of Health and Human Services ("HHS") published proposed changes to the HIPAA Privacy Rule, which took effect on April 14, 2001, with a compliance deadline of April 14, 2003. The biggest surprise in the new proposed regulations is HHS’ decision to make obtaining consent an option rather than a requirement. In other words, a patient would no longer have to sign a HIPAA consent form in order to permit the use or disclosure of the patient’s protected health information ("PHI") for purposes of treatment, payment or health care operations. Numerous privacy advocates, including Senator Ted Kennedy, have vowed to oppose this proposed change.

A number of the other newly proposed regulations issued on March 27 were expected based on a privacy guidance issued last July by HHS, which stated its intention to modify or eliminate some of the unintended effects of the final Privacy Rule, particularly in the areas of consent, the minimum necessary standard, marketing and fundraising. 

Entities subject to The Privacy Rule ("Covered Entities"), employers, and business associates need to realize that while the privacy requirements will continue to evolve, the Privacy Rule’s final compliance date of April 14, 2003, remains. Affected parties are strongly urged to continue their HIPAA assessment and compliance efforts without delay rather than wait for the final version of these proposed regulations, which may not be issued for several months.